Lots of work and analysis by "xbx___" in bug #1431750

(http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two different but related bugs: 1) Removing an easy handle from a multi handle before the transfer is done could leave a connection in the connection cache for that handle that is in a state that isn't suitable for re-use. A subsequent re-use could then read from a NULL pointer and segfault. 2) When an easy handle was removed from the multi handle, there could be an outstanding c-ares DNS name resolve request. When the response arrived, it caused havoc since the connection struct it "belonged" to could've been freed already. Now Curl_done() is called when an easy handle is removed from a multi handle pre-maturely (that is, before the transfer was complteted). Curl_done() also makes sure to cancel all (if any) outstanding c-ares requests.
author: Daniel Stenberg <daniel@haxx.se> 2006-02-23 12:20:48 +0000
committer: Daniel Stenberg <daniel@haxx.se> 2006-02-23 12:20:48 +0000
commit: 6fdbb011948cc9fd2cadff04b230427cf02dbd7d (patch)
tree: 2aa747888250eab64d0bc6f0262790f8bfe77c26
parent: d29147565c000c01a5ac20b12993c8fd726b1fa2 (diff)
5 files changed, 32 insertions, 4 deletions
diff --git a/CHANGES b/CHANGES
index 742d01f9b..0b2833950 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,25 @@
 
                                   Changelog
 
+Daniel (22 February 2006)
+- Lots of work and analysis by "xbx___" in bug #1431750
+  (http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two
+  different but related bugs:
+
+  1) Removing an easy handle from a multi handle before the transfer is done
+     could leave a connection in the connection cache for that handle that is
+     in a state that isn't suitable for re-use. A subsequent re-use could then
+     read from a NULL pointer and segfault.
+
+  2) When an easy handle was removed from the multi handle, there could be an
+     outstanding c-ares DNS name resolve request. When the response arrived,
+     it caused havoc since the connection struct it "belonged" to could've
+     been freed already.
+
+  Now Curl_done() is called when an easy handle is removed from a multi handle
+  pre-maturely (that is, before the transfer was complteted). Curl_done() also
+  makes sure to cancel all (if any) outstanding c-ares requests.
+
 Daniel (21 February 2006)
 - Peter Su added support for SOCKS4 proxies. Enable this by setting the proxy
   type to the already provided type CURLPROXY_SOCKS4.
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 943b6b5ed..aeb78c4db 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -22,6 +22,8 @@ This release includes the following changes:
 
 This release includes the following bugfixes:
 
+ o two bugs concerning using curl_multi_remove_handle() before the transfer
+   was complete
  o multi-pass authentication and compressed content
  o minor format string mistake in the GSS/Negotiate code
  o cached DNS entries could remain in the cache too long
diff --git a/lib/hostip.h b/lib/hostip.h
index 3baf8284b..62c6721e1 100644
--- a/lib/hostip.h
+++ b/lib/hostip.h
@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2005, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -82,6 +82,7 @@
 #define CURL_ASYNC_SUCCESS ARES_SUCCESS
 #else
 #define CURL_ASYNC_SUCCESS CURLE_OK
+#define ares_cancel(x)
 #endif
 
 /*
diff --git a/lib/multi.c b/lib/multi.c
index a7d1988d6..6213fede4 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -92,10 +92,10 @@ struct Curl_one_easy {
   int msg_num; /* number of messages left in 'msg' to return */
 };
 
-
 #define CURL_MULTI_HANDLE 0x000bab1e
 
-#define GOOD_MULTI_HANDLE(x) ((x)&&(((struct Curl_multi *)x)->type == CURL_MULTI_HANDLE))
+#define GOOD_MULTI_HANDLE(x) \
+  ((x)&&(((struct Curl_multi *)x)->type == CURL_MULTI_HANDLE))
 #define GOOD_EASY_HANDLE(x) (x)
 
 /* This is the struct known as CURLM on the outside */
@@ -245,6 +245,8 @@ CURLMcode curl_multi_remove_handle(CURLM *multi_handle,
     Curl_easy_addmulti(easy->easy_handle, NULL); /* clear the association
                                                     to this multi handle */
 
+    Curl_done(&easy->easy_conn, easy->result);
+
     /* make the previous node point to our next */
     if(easy->prev)
       easy->prev->next = easy->next;
diff --git a/lib/url.c b/lib/url.c
index 0c0933ca8..60172b395 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3654,7 +3654,7 @@ static CURLcode CreateConnection(struct SessionHandle *data,
   /* Continue connectdata initialization here.
    *
    * Inherit the proper values from the urldata struct AFTER we have arranged
-   * the persistent conncetion stuff */
+   * the persistent connection stuff */
   conn->fread = data->set.fread;
   conn->fread_in = data->set.in;
 
@@ -3999,6 +3999,10 @@ CURLcode Curl_done(struct connectdata **connp,
 
   Curl_pgrsDone(conn); /* done with the operation */
 
+  /* for ares-using, make sure all possible outstanding requests are properly
+     cancelled before we proceed */
+  ares_cancel(data->state.areschannel);
+
   /* if data->set.reuse_forbid is TRUE, it means the libcurl client has
      forced us to close this no matter what we think.
author	Daniel Stenberg <daniel@haxx.se>	2006-02-23 12:20:48 +0000
committer	Daniel Stenberg <daniel@haxx.se>	2006-02-23 12:20:48 +0000
commit	6fdbb011948cc9fd2cadff04b230427cf02dbd7d (patch)
tree	2aa747888250eab64d0bc6f0262790f8bfe77c26
parent	d29147565c000c01a5ac20b12993c8fd726b1fa2 (diff)